GithubOAuth tells users to distribute their client secrets
The GithubOAuth example uses OAuth2's authorization code grant. This is fine if you can delegate the authorization to a server you own and store the client secret there, but this isn't the case here. The README instructs users to paste their client secret into the app. This is a very bad idea™, as these can very easily be extracted from the exported package.
To be fair, there is a security warning in the README, but "Note:" is not how you tell people about fundamental security flaws.
There does exist another OAuth flow, implicit grant, which doesn't require a client secret. GitHub does not support this, however.
We should either provide some basic server code, or switch to a different provider for this example.
I'm not sure I want to remove the example completely, as I think it serves some instructional value (the flow doesn't change that much with a different grant type...); what if we just made the "Note" into a big disclaimer and changed the wording into something a bit more aggressive?
What do you think @sebbert ?
Seems like a good solution to me 👍
Also, I'm expanding the section on OAuth in the REST article quite a bit, so we'll have some more docs on this soon.
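The "basic server code" option raised in the issue, sketched as an added example (not part of the original thread or the project's own code): a small Node.js endpoint performs the code-for-token exchange, so the client secret lives in the server's environment and never in the exported app. The `/exchange` path, the environment variable names and the function names are assumptions made for illustration.

```javascript
// Added example: server-side code-for-token exchange for GitHub OAuth.
// The app sends only the authorization code; the secret never leaves the server.
const TOKEN_URL = "https://github.com/login/oauth/access_token";

// Build the form-encoded POST for GitHub's token endpoint.
// cfg = { clientId, clientSecret }, loaded from the server's environment.
function buildTokenRequest(code, cfg) {
  if (typeof code !== "string" || code.length === 0 || code.length > 256) {
    throw new Error("invalid authorization code");
  }
  const body = new URLSearchParams({
    client_id: cfg.clientId, client_secret: cfg.clientSecret, code,
  });
  return { url: TOKEN_URL, options: { method: "POST", headers: { Accept: "application/json" }, body } };
}

// Exchange the code and hand back only the access token, never the secret.
// fetchImpl is injectable so the logic can be exercised offline.
async function exchangeCode(code, cfg, fetchImpl = fetch) {
  let req;
  try { req = buildTokenRequest(code, cfg); }
  catch { return { status: 400, body: { error: "invalid_code" } }; }
  try {
    const res = await fetchImpl(req.url, req.options);
    const data = await res.json();
    // GitHub reports a rejected code as an "error" field in the JSON body.
    if (res.ok && data.access_token) {
      return { status: 200, body: { access_token: data.access_token } };
    }
    return { status: 502, body: { error: data.error || "exchange_failed" } };
  } catch { return { status: 502, body: { error: "exchange_failed" } }; }
}

// Start listening only when the secret is configured on the server.
if (process.env.GITHUB_CLIENT_SECRET) {
  const cfg = { clientId: process.env.GITHUB_CLIENT_ID, clientSecret: process.env.GITHUB_CLIENT_SECRET };
  require("node:http").createServer(async (req, res) => {
    if (req.method !== "POST" || req.url !== "/exchange") { res.writeHead(404).end(); return; }
    let raw = "";
    for await (const chunk of req) { raw += chunk; if (raw.length > 1024) break; }
    // The app posts "code=..." in the body, which keeps it out of URL logs.
    const out = await exchangeCode(new URLSearchParams(raw).get("code"), cfg);
    res.writeHead(out.status, { "Content-Type": "application/json" }).end(JSON.stringify(out.body));
  }).listen(process.env.PORT || 8080);
}
```

The app then posts the code it received on the redirect to this endpoint over HTTPS and gets back only the access token.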